Salem, OR—Today, Oregon Secretary of State Dennis Richardson released an audit of the Oregon Department of Revenue (DOR). The audit found that DOR has accomplished its goal of implementing sufficient controls in its GenTax computer system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid.

In 2013, DOR received initial project funding and approval to implement GenTax, a commercial, off-the-shelf product developed by FAST Enterprises. GenTax is an integrated tax processing software package that replaced most of DOR's legacy core systems, which were built on aging and obsolete software applications and databases from the 1980s. DOR implemented GenTax in four major rollouts with the fourth rollout completed in November 2017.

Auditors reviewed the GenTax application with a focus on the personal income, withholding, and corporate income and excise tax programs for tax periods ending in 2016. They also reviewed general computer controls associated with the system, including logical access, change management, and disaster recovery controls.

Auditors determined that computer controls provide reasonable assurance that tax return and payment information is appropriately received and processed; however, auditors found DOR could improve its controls over logical access and disaster recovery for this system. Specifically, they found:

Auditors made minor suggestions for improvements, such as tracking missing interface files to ensure proper resolution and notifying taxpayers if GenTax found withholding records the taxpayer did not claim.

Auditors determined that logical access controls were generally sufficient to restrict GenTax access to appropriate users. They noted that controls need strengthening to ensure managers have enough information to request appropriate access. In addition, they found that controls should be improved to ensure timely removal of users who no longer require access.

The audit includes 11 recommendations to address needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center.